Skip to main content

Remote MCP — HTTP/SSE transport

For server-side LLM applications, claude.ai's remote-MCP feature, IDE plugins, or any MCP client that speaks streamable HTTP. Same 144 tools as the stdio transport, but instead of holding platform credentials the server passes through whatever JWT the caller sends in Authorization: Bearer ….

Endpoint

  • Public URL: https://app.proofarc.ai/mcp/
  • Health check (no auth): GET /mcp/healthz{"status":"ok"}
  • Tool/resource calls: POST /mcp/ with a Bearer JWT and JSON-RPC over streamable HTTP per the MCP spec.

Getting a platform JWT

Standard platform login:

TOKEN=$(curl -s https://app.proofarc.ai/api/auth/login \
-H 'Content-Type: application/json' \
-d '{"username":"admin","password":"…"}' | jq -r .token)

Tokens are valid for 30 days by default (see backend.jwtExpirationMs in the Helm chart values).

Sanity check

# 200 — no auth required
curl https://app.proofarc.ai/mcp/healthz

# 401 — bearer required
curl -X POST https://app.proofarc.ai/mcp/ -i

# 200/202 — MCP handshake (server returns SSE/streamable JSON-RPC)
curl -X POST https://app.proofarc.ai/mcp/ \
-H "Authorization: Bearer $TOKEN" \
-H "Accept: application/json, text/event-stream" \
-H "Content-Type: application/json" \
--data '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

How auth flows through

caller (Claude, etc.)
│ Authorization: Bearer <platform-jwt>

proofarc-mcp pod (Starlette + uvicorn)
│ BearerMiddleware reads header, stashes in contextvar

tool handler (e.g. list_projects)
│ PassthroughProvider.token() reads contextvar

platform_client.GET /api/projects
│ Authorization: Bearer <same-platform-jwt>

proofarc backend (RBAC enforced as the caller's user)

No platform credentials live in the MCP pod. RBAC is enforced server-side as the caller's user — the MCP server is a stateless protocol gateway.

Connecting from an MCP client

Any client that speaks streamable HTTP MCP. Examples:

  • claude.ai remote MCP — add https://app.proofarc.ai/mcp/ as a custom server, set the Authorization: Bearer … header in the connector config.
  • Reference mcp-client CLI:
    mcp-client connect https://app.proofarc.ai/mcp/ \
    --header "Authorization: Bearer $TOKEN"
  • Server-side LLM apps using the Anthropic Python SDK or similar — point the transport at the URL and inject the bearer per-request.

Failure modes

SymptomLikely cause
401 missing_bearerNo Authorization header. Add one.
401 missing_bearer even with headerHeader isn't Bearer … (we reject Basic, etc.).
Platform 401 surfaced from a toolThe platform JWT expired. Re-login and retry.
PermissionError: No Authorization bearer presentInternal bug — middleware should have rejected; file an issue.